
Ethics

This article highlights the critical role that continuous monitoring, periodic review,
and ongoing maintenance activities play in ensuring the efficacy of any ethics and compliance
program and the viability of relevant internal controls.

Thomas Rath is a member of the Government Contracts practice at Dentons in Washington,
where he provides contractors advice and representation in connection with bid protests,
disputes and contract compliance matters, including audits, investigations and performance
disputes.

Previous installments of this series have explained the benefits to a government contractor
of implementing an effective ethics and compliance program. We have also discussed
the risks associated with overlooking key compliance requirements. Building a robust
system to ensure compliance is in a contractor's self-interest for several reasons.
First, the consequences associated with violations can be severe. Second, a documented
and thorough ethics and compliance program can help a government contractor demonstrate
value to the government and thereby improve relationships with the company's customers.
And third, companies are obligated by regulation and contract to implement an ethics
and compliance program.

Significantly, a contractor's failure to maintain that robust program can undermine
and jeopardize all the effort expended in building an ethics and compliance program.
This article highlights the critical role of continuous monitoring, periodic review
and ongoing maintenance activities in ensuring the efficacy of any ethics and compliance
program and the viability of relevant internal controls. A government contractor should
treat its ethics and compliance program as an evolving system of controls, and continuous
monitoring is critical to efficacy.

Continuous monitoring and maintenance is crucial to the success of a government contractor's
ethics and compliance program. The reasons are plentiful. Changing regulations can
make policies obsolete or inadequate. Evolving business roles can add new risks and
requirements that must be accommodated.

New and additional contractual obligations may influence required policies, as well
as internal control mechanisms. Finally, for some contractors, monitoring and maintenance
are not just a good idea but are requirements of a code of conduct consistent with
applicable regulations, as well as necessary to demonstrate to government investigators
and regulators that the contractor has an effective ethics and compliance program.

An Evolving Legal Landscape

The laws, regulations and contract clauses affecting government contractors are subject
to frequent revisions, and the sheer volume of regulations applicable —
or potentially applicable — to government contractors makes the job of monitoring
for changes vital. When changes occur, they may require significant revisions to a
contractor's ethics and compliance program and the implementation of additional internal
controls.

Changes to regulations can affect ethics and compliance programs in several ways.
For example, recent changes have been made to the prohibition on human trafficking
set forth at Federal Acquisition Regulation (FAR) 52.222-50. The amendment added a
series of prohibited activities applicable to all government contractors. For instance,
the rule bans “deny[ing] access by an employee to the employee's identity or immigration
documents” and mandates that an employment agreement, if required, must be provided in a language
understood by the employee. Other rules incorporate local labor laws and safety standards in foreign countries. Finally, for contractors providing services or supplies outside the U.S. with a contract
value higher than $500,000, a compliance plan must be implemented with specific features
enumerated in the rule.

As a consequence of the anti-human trafficking amendment, contractors must now consider
additional training and awareness programs for U.S. managers and employees who need
to know about the prohibited activities and be prepared to avoid them. If non-English-speaking
employees are used, the contractor may need to consider drafting foreign-language
employment agreements.

The new clauses also require contractors working overseas to perform risk assessments
and other compliance activities to ensure that the company complies with local rules.
Finally, contractors who meet the applicable thresholds must draft an entirely new
compliance plan that addresses employee awareness of prohibited activities; procedures
for employees to safely report potential violations; recruitment, wages and housing
consistent with the rule's restrictions; and procedures to prevent violations by subcontractors.

While not all rule changes will have the same impact, the changes to the anti-human
trafficking rule amply illustrate why contractors need to stay informed as the legislative
and regulatory landscape shifts. An ethics and compliance program that was designed
to satisfy the requirements as they existed in 2014 would not prepare a company to
comply with the amended rule. By failing to stay abreast of such developments, the
company could find itself in violation of the amended rule without engaging in any
wrongdoing.

Business Changes

Contractors' risk profiles also change as they grow their businesses, and their ethics
and compliance programs must be amended to keep up. Many otherwise welcome events
may give rise to new risks that should cause the company to reassess its ethics and
compliance program.

As an example, imagine a company that wins a new contract larger than any of its previous
government awards. Because many government contracting regulations are triggered by
dollar-value thresholds, that new contract might come with new compliance needs.

A key example in the area of ethics and compliance is FAR 52.203-13. That clause is
required in contracts valued at more than $5.5 million with a performance period greater
than 120 days. A contractor might be thrilled to win such a contract for the first time. But under
FAR 52.203-13, the award comes with substantial requirements to implement a code of
business ethics and conduct, exercise due diligence to prevent and detect criminal
conduct, promote an ethical organizational culture, and disclose violations involving
fraud and other offenses to the government if the contractor has “credible evidence”
of such violations.

Similarly, a company might grow by acquiring or merging with another entity. This
kind of event also imposes compliance risks. The combination could create organizational
conflicts of interest. The combined entity could also be exposed to regulatory requirements
that are new to employees on one or both sides. Indeed, the acquiring or acquired
business may not have considered itself a government contractor before the deal took
place.

All of these issues illustrate that a growing and changing business requires an evolving
ethics and compliance program. Thus, an effective government contractor ethics and
compliance program should take company changes into account and build opportunities
for review, monitoring and assessment of these corporate changes into its overall
ethics and compliance program.

Monitoring Required by Regulations and Sentencing Guidelines

Specific requirements for ongoing monitoring activities appear in both the FAR and
other controlling guidance. The most explicit requirement is FAR 52.203-13, which
requires certain contractors to include monitoring and assessment as part of their
business ethics awareness and compliance programs and internal control systems. Specifically, the rule requires “[p]eriodic reviews of company business practices,
procedures, policies, and internal controls for compliance with the Contractor's code
of business ethics and conduct.” These reviews must include:

“Monitoring and auditing to detect criminal conduct”

“Periodic evaluation of the effectiveness of the business ethics awareness and compliance
program” and

“Periodic assessment of the risk of criminal conduct, with appropriate steps to …
reduce the risk of criminal conduct identified through this process.”

These requirements specify some of the precise review and assessment activities that
contractors must undertake. Other rules are less exact but amount to a similar practical
requirement. For instance, contractors subject to FAR 52.223-6 must create an “ongoing
drug-awareness program” and “[m]ake a good faith effort to maintain a drug-free workplace.”
Similarly, the equal employment opportunity provisions of FAR 52.222-26 require contractors
to take affirmative action to prevent discrimination in hiring and throughout the course
of employment. Clauses like this require a continuous effort to remain in compliance, even
though the nature of that effort is up to the contractor.

Finally, under the U.S. Sentencing Commission's Sentencing Guidelines, an effective
compliance and ethics program can reduce the amount of any fine imposed on a company
as a result of a criminal violation. To be considered “effective,” a compliance and ethics program must include reasonable
provisions for monitoring and assessment, including steps to ensure that the program
is followed, “monitoring and auditing to detect criminal conduct,” periodic evaluation
of the program's effectiveness, and a system through which employees can report potential
criminal conduct.

Additionally, the Sentencing Guidelines require that companies take steps after a
violation is discovered to improve their programs and prevent future problems. These provisions underscore the theme of this article that a compliance and ethics
program is not complete without effective provisions for ongoing monitoring and assessment.

Reviewing and Monitoring After Implementation

Effective review and assessment requires a holistic and systematic approach and a
commitment on the part of the contractor to: (1) keep its ethics and compliance program
current; (2) verify that the program is working; and (3) fix any part of the program that is
not. With these goals in mind, this section will offer some key observations and suggestions
on when and what to review and who should be involved.

Scheduling Monitoring and Maintenance Events

The timing of monitoring and maintenance activities should have several layers, ranging
from continuous monitoring for legal changes to periodic reviews of the entire program.
Below are ideas for both of these steps, and a few points in between.

Ongoing monitoring: As the discussion of rule changes above illustrated, one of the most disruptive events
a contractor's ethics and compliance program can face is an amendment to the rules
applicable to the company. But these changes do not happen overnight. Most regulatory
changes, including changes to FAR clauses, are first proposed in the
Federal Register, after which agencies will accept comments before issuing a final rule.

Legislative changes are also the result of long processes. Contractors should plan
to learn about these changes before they happen by assigning an employee or an external
adviser to monitor for relevant changes. A good target is monitoring for new obligations
on a monthly basis. On a day-to-day basis, reviewing trade press in which relevant
changes may be discussed is also a helpful practice.

Event-based reviews: Certain events have a high probability of exposing a company to new risks, and companies
should accordingly reassess their ethics and compliance programs at those times. Included
in this category are new contract awards, mergers and acquisitions, offering a new
line of services, and launching a new product. Each of these events can impose new
obligations on the company, and a new risk assessment should be conducted accordingly.
If new requirements are encountered, policy changes, new training curricula and other
steps may be required to keep the ethics and compliance program running as intended.

Lessons learned: A related category of event-based review takes place after a compliance violation
occurs. Companies should plan an investigation of the incident itself to find out
what happened, and should review policies and procedures in the affected compliance
area to identify how improvements could address similar issues in the future. Additionally,
companies should analyze whether enhanced training is necessary for employees who
could make similar mistakes.

Annual or periodic review: Annual or periodic reviews are a key part of monitoring and assessment of a working
ethics and compliance program. The function of the annual or periodic review is to
give the company a complete assessment of how its ethics and compliance program is
working on a regular basis. Companies should schedule these reviews on a recurring
basis to conduct a comprehensive review of the policies, training and other programs
that make up the ethics and compliance program as a whole.

What to Review

The assessment events discussed above focus on complementary and overlapping subjects.
First, monitoring for legal changes and event-based reviews are necessary to renew
the company's risk assessment and risk profile. As discussed in the first article
in this series, compliance risk assessments allow for the identification of compliance
obligations and risks.

Once a contractor identifies these risks, it should create a risk profile to organize
and tailor the company's response to these obligations. When monitoring activity identifies
a new legal rule, or a new contract triggers an event-based assessment, the company
should repeat these initial steps with respect to the new risks and obligations, and
take additional steps as necessary.

For example, using the scenarios addressed above, a contractor that has received its
first contract of more than $5.5 million would conduct a risk assessment that would
uncover the applicability of FAR 52.203-13 to the new contract. At that point, the
contractor would be ready to devise a plan outlining the necessary features of the
code of conduct and other requirements of that clause, setting a timeline for actions
necessary to bring the company into compliance, and assigning staff and resources
to complete those tasks.

Reviews conducted after a violation has occurred naturally have a different subject:
understanding the incident and preventing it from happening again. Investigating what
has already occurred is important so that the company understands the scope and potential
consequences of the violation. Additionally, internal investigation can enable the
company to cooperate with any enforcement action and potentially earn more lenient
treatment. Once the company addresses the immediate violation, it should turn to improving
its policies.

This step depends on the circumstances of the violation, such as whether the violation
was a mistake or intentional, whether it was committed by one bad employee or indicative
of a systemic problem, and whether the risk was overlooked in existing policy or addressed
by the policy in an ineffective manner. A contractor should capitalize upon the knowledge
gained through such a violation and take concrete, focused steps to ensure that the
program is adjusted to prevent the recurrence of such an incident.

Lastly, annual or periodic reviews are scheduled to provide an assessment of the efficacy
of the ethics and compliance program as a whole. These reviews should assess ethics
and compliance from the ground up. The review should include a risk assessment, the
first step in the ethics and compliance program. It should ensure that those risks
are addressed in the company's policies. And it should ask whether the policies and
procedures in place are working, and if not, how they can be improved.

By layering review and monitoring events in this fashion, different parts of the ethics
and compliance program come up for review as necessary. The annual or periodic review
fills gaps between more focused reviews, and studies the whole program even when everything
appears to be functioning.

Who Should Be Involved

Review and monitoring of an ethics and compliance program will be most effective if
these activities are institutionalized as a central component of the program itself.
This is best achieved by implementing policies that seek broad engagement across all
levels of company personnel and that assign clear responsibilities to those involved.

In some cases, outside advisers may also be necessary. The precise details should
be customized to the company, but we suggest a basic, adaptable framework using a
compliance officer with specified leadership tasks, delegated responsibilities for
other company managers, and feedback opportunities for all employees.

A compliance officer is an individual within the company who is responsible for taking
the lead and overseeing the functions of the ethics and compliance program. The tasks
assigned to the compliance officer may include approving policies and other program
documentation, reviewing suggestions for new policies and procedures, receiving and
acting on reports and risk assessments, and delegating responsibility for program
tasks.

Having a dedicated leader dispels ambiguity as to who is responsible for compliance
tasks, so assigning a compliance officer brings clarity and accountability to the
ethics and compliance program. Moreover, the role of the compliance officer is scalable
with company size, as it may be filled by a manager with other responsibilities in
a small company or by dedicated personnel in a larger business.

Assigning leadership roles to a compliance officer is not intended to compartmentalize
the ethics and compliance program away from the operations it affects. To avoid this,
the compliance officer should delegate responsibility to other leaders within the
company. For instance, a company's human resources managers should be involved in
developing, implementing and reporting on policies and procedures for equal employment
opportunity compliance, drug-free workplace policies and compliance with applicable
wage and hour regulations.

Similarly, sales managers and contract managers should be involved in developing and
implementing compliance policies and procedures surrounding the company's pursuit
of new contracts, including procedures designed to prevent illegal kickbacks and false
claims. In large organizations, department leaders assigned these roles may be formally
organized into a compliance council that has a regular meeting schedule and is led
by the compliance officer.

But even without a formal council structure, compliance officers and managers with
delegated compliance monitoring tasks should collaborate in a manner that allows the
compliance officer to steer the program with the benefit of the managers' ground-level
knowledge of their area of the business.

Feedback and reporting opportunities for lower-level employees who are not directly
involved in monitoring and assessment are also important. Some rules require contractors
to provide employees with opportunities to report potential violations without fear
of reprisal.

Even without these rules, contractors should develop anonymous reporting opportunities
so that they can learn about problems as soon as possible. Employees should also have
opportunities to give feedback on issues other than potential violations. Learning
employee opinions on policies, procedures and training can help the company assess
the sustainability and practicality of existing programs and help build a culture
of compliance within the company.

Finally, some companies and situations may call for outside advisers, such as attorneys,
consultants and accountants with expertise in government contracting requirements.
Smaller companies may need to rely on outside advisers to monitor the legal landscape
for new risks, review new contracts, and conduct periodic reviews of their ethics
and compliance programs. Larger companies that have internalized these functions may
still engage outside help for more complex problems and to provide an independent perspective.

Conclusions, Tips and Tricks

This three-article series has stressed the importance of developing and maintaining
an effective, custom-designed and scalable ethics and compliance program. Contractors
face an array of regulations that affect everything from cost accounting to affirmative
action. Enforcement actions resulting from noncompliance can lead to severe penalties
and business losses.

As this article has explained, however, the goal is not to generate a series of documents
that sit in a binder gathering dust. Rather, a company must be committed to using
the policies, procedures, and training and awareness programs it develops to generate
and maintain an ongoing culture of compliance.

The monitoring and assessment activities described in this article further that goal
by suggesting a framework that allows a company to assess and adjust its ethics and
compliance program in response to noncompliant behavior, new business opportunities,
and new or changing regulations. Failure to keep a company's ethics and compliance
program up to date will jeopardize all of the benefits of creating the program in
the first place, including mitigating the risk of noncompliance and providing demonstrable
evidence of the company's commitment to ethical business to the government.

While the points above give a high-level outline of the activities necessary to successfully
monitor and review an ethics and compliance program as a company evolves over time,
this article concludes by offering the following finer points to consider.

Organize your compliance policies to anticipate changes. A contractor's monitoring and assessment programs are virtually guaranteed to reveal
new circumstances and requirements that will require the company to update and adapt
its policies. It is wise to anticipate these changes in the structure of your ethics
and compliance policies.

Number your policies in a format that can be expanded. Keep a revision history that
tracks the date of new issuances to help users identify the current policies. As new
policies are created and existing policies are enhanced, establish a process to communicate
the new and revised policies to employees. Also, consider maintaining all policies
electronically so that employees can access the most up-to-date versions.

Develop a policy on policies. Controlling your company's policies and procedures is an important part of maintaining
compliance after a program goes into effect. For this reason, companies should consider
including a policy that addresses how new policies are adopted and how existing policies
are enhanced. This policy on policies may also delegate responsibility for keeping
policies up to date, and nominate a function to handle suggestions for improvements.

Make sure the writing matches reality. A contractor's review and assessment activities should focus not only on whether
policies are well designed and addressing the right risks, but also on whether the
company is actually following its own rules. A policy that is not being carried out
may be unrealistic or impractical, indicating that revisions should be made to ensure
compliance in a different manner. Alternatively, widespread noncompliance could indicate
a deeper problem. In either case, though, a policy that is not followed is worth as
much as the paper it is written on. As such, a contractor should build ongoing review
and assessment into its compliance program to avoid such disconnects and catch problems
early.

Tailor monitoring and maintenance activities to your company. As with other aspects of an ethics and compliance program, monitoring and assessment
activities should be designed specifically for each company's needs. In some places,
a full review may be warranted more often than annually. Companies with more complex
regulatory obligations may need more elaborate training programs subject to frequent
checks and updates. Effective monitoring and assessment should be designed around
these requirements, resulting in a program that is unique and tailored to the company.
